How can I retrieve and restore a deleted user account in Active Directory?

When working with a directory service like Active Directory, restoring deleted users can be challenging. Identity and access management expert Joel Dubin advises on how to manage users efficiently.

Fortunately, Active Directory (AD) has a feature for restoring accidentally deleted user accounts. The problem in AD is not only bringing the lost account back to life, but also returning the account to its old group. The fix for restoring accounts is also tied with the fix for repairing and bringing back inadvertently deleted groups and objects. This is because accounts are often lost in bulk due to an erroneously deleted object holding...

multiple accounts. This tip examines how to use this Active Directory security feature.

First, as a preventative measure, Microsoft recommends taking steps to prevent administrators from being able to delete objects in bulk. They recommend using the ADSIEdit, LDP or DSACLS command-line tools to set the access control entry (ACE) to "deny" on the security descriptor of every object and its parent.

Barring that, Microsoft recommends three ways to restore deleted users. The first is to restore the accounts using the Ntdsutil command-line tool, which is only available on Microsoft Windows Server 2003 with Service Pack 1, and then adding them to their groups. The second, without the tool, is to use the most current system state backup of the global catalogue in the user's domain controller. This of course, has to be done before the current global catalogue has replicated and overwritten the backup.

The third method is to restore both the deleted user and his or her security groups twice. Microsoft says the process has to be repeated to repair group membership information, which may not be fully restored in one go around.

There are also other manual restoration methods in the Microsoft Knowledge Base at KB 840001. The article is an excellent reference with details and step-by-step instructions on how to restore Active Directory accounts.


This was first published in February 2009

Dig deeper on Microsoft identity and access management

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close